Bitcoin and Tor have become perhaps the two most widely used software tools for maintaining anonymity on the Web. Now they’re about to be stitched together–a move that could make a large swathe of the Bitcoin network significantly stealthier.
Bitcoin core developer Mike Hearn says that an upcoming version of bitcoinj, the software that powers many of the most popular Bitcoin apps like Multibit, Hive, and Android Wallet, will route all connections to the Bitcoin network over Tor’s anonymity network. When users of those apps buy or sell Bitcoins, their transactions will be sent through Tor’s system of three encrypted hops through computers around the world before they reach another Bitcoin node.
Hearn, who leads the Bitcoin Foundation’s law and policy committee and works as a Google engineer, tells me he built a prototype of the Tor-enabled Bitcoin software in January. Another well-known Bitcoin developer who calls himself devrandom is working to have the integration ready for public use in about a month, according to Hearn. When it’s released, Hearn says the Tor upgrade to Bitcoin will represent a serious improvement on the privacy of Bitcoin’s transactions.
“The fact I use Bitcoin isn’t a secret, but I don’t want all my transactions in an NSA database,” Hearn says. “When I use Bitcoin in a bar, I don’t want someone on the local network to learn my balance. The way Bitcoin is used today, both those things are possible.”
Despite Bitcoin’s use in anonymous dark web applications like the Silk Road black market for illegal drugs, the cryptocurrency’s privacy properties have never been as foolproof as many users imagine. All transactions on the Bitcoin network can be traced on the public ledger of Bitcoin movements known as the blockchain, the same mechanism used to prevent forgery and fraud in the Bitcoin economy. But the blockchain tracks only pseudonymous Bitcoin addresses, not users’ real names or other identifying details, and users can further hide their identities by mixing up their bitcoins with those of other users on “mix” or “laundry” services.
Adding Tor into the Bitcoin apps addresses another hole in the cryptocurrency’s privacy protections. Aside from the record of Bitcoin transactions stored on the blockchain, anyone capturing Internet traffic could also potentially trace the source of a Bitcoin payment back to the IP address where it originated. Thanks to that IP tracking, it’s “possible that the NSA and GCHQ have de-anonymized most of the blockchain by now,” Hearn says.
Tor’s trick of bouncing that connection through proxies around the world would make that sort of IP-tracing surveillance much more difficult, Hearn says. And he argues that Tor also offers protection from an even more serious security problem: If a Bitcoin user connects to an untrusted Wi-Fi network, it’s possible a malicious hacker might be able to spoof the entire Bitcoin network, such that the user might be tricked into thinking he or she has been paid Bitcoins that never actually existed.
Tor would prevent that scam by ensuring that users are connecting to valid Tor nodes, which are tracked by Tor’s seven “directory authorities.” “Tor isn’t really as decentralized a network as Bitcoin: It has these seven directory servers,” says Hearn. “When you connect to the Internet through Tor, you can verify with one of those directories that it’s a real Tor node.”
Some Bitcoin wallets such as Electrum already route users’ traffic over Tor. But the integration of Tor’s privacy features with bitcoinj means it will be expanded to far more users–likely the majority of Bitcoin wallets that are hosted offline rather than as a Web service.
Even with connections running over Tor, though, bitcoinj’s protection of a user’s IP address won’t be perfect. A feature of the software known as Bloom Filters, designed to make Bitcoin wallets more efficient by seeking out transactions relevant to the user, also reveals identifying information about that user, points out Peter Todd, an anonymity-focused Bitcoin engineer who works for Bitcoin startup Mastercoin. Todd suggests that more privacy-focused Bitcoin wallets like the yet-to-be-released Dark Wallet may better solve the problem by avoiding Bloom Filters.
“[Tor] is only part of the solution. The problem is that your client has to tell the other side what coins they’re interested in,” says Todd. “The way Bloom Filters work leaks a lot of info about what coins you own.”
Hearn counters that Bloom Filters will be updated in future implementations to reveal less identifying information, and argues that regardless, integrating Tor is an important step in protecting bitcoiners’ privacy. “There are no silver bullets in this space,” says Hearn. “But this will make [surveillance] much harder for sure.”
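The Bloom Filter trade-off that Todd and Hearn are debating can be measured directly. The sketch below is an added example, not code from the article or from bitcoinj: it builds a plain Bloom filter (SHA-256 stands in for the murmur3 hash Bitcoin's wallet filters use), loads it with a constructed 20-address wallet, and counts how many unrelated addresses also match at different false-positive rates. The function names, wallet size and rates are assumptions chosen for illustration.

```python
import hashlib
import math


class BloomFilter:
    """Plain Bloom filter; SHA-256 replaces murmur3 to stay stdlib-only."""

    def __init__(self, n_items, fp_rate):
        # Standard sizing: m bits and k hash functions for a target rate.
        self.m = max(8, math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(4, "little") + item).digest()
            yield int.from_bytes(digest[:8], "little") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def constructed_address(label, i):
    # Constructed 20-byte stand-ins for address hashes, not real addresses.
    return hashlib.sha256(f"{label}-{i}".encode()).digest()[:20]


def anonymity_set(fp_rate, wallet_size=20, observed=50_000):
    """Return (wallet_matches, total_matches) when the wallet's own addresses
    and `observed` unrelated ones are checked against the wallet's filter."""
    wallet = [constructed_address("wallet", i) for i in range(wallet_size)]
    others = [constructed_address("other", i) for i in range(observed)]
    bloom = BloomFilter(wallet_size, fp_rate)
    for addr in wallet:
        bloom.add(addr)
    wallet_matches = sum(addr in bloom for addr in wallet)
    decoys = sum(addr in bloom for addr in others)
    return wallet_matches, wallet_matches + decoys


if __name__ == "__main__":
    for rate in (0.00001, 0.001, 0.05):
        own, total = anonymity_set(rate)
        print(f"fp_rate={rate}: {own} wallet addresses among {total} matches")
```

At a very low false-positive rate the set of matching addresses is almost exactly the wallet itself; a higher rate buries the wallet among decoys at the cost of downloading more irrelevant transactions.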